posted 9 years ago
Although a quick check of the documentation didn't say, the usual lockout mechanism is to lock the userID, not the IP address. IP addresses are generally locked out at the firewall. Tomcat doesn't mark the account permanently locked like some systems do (requiring a security administrator to explicitly unlock it again). It just keeps a cache of banned IDs with lockout countdown times. Locking out by source IP is very rare. Sometimes a user will have an alternate account that they are authorized to use, and in the case of IPv4 NAT, dozens, hundreds, or even thousands of users would all be carrying the same source IP address. Mostly when I ban an IP it's from some really blatant offender such as Taiwan HINET, which seems to exist solely to provide Internet vandals a home.
Again, the docs didn't say, but I'd expect that a banned ID would be presented with a 403 - FORBIDDEN page.
Incidentally, since the lockout is by ID, not IP, public parts of the webapp should still be accessible to the locked-out user. However, any attempt to access a secured URL would again trigger the server's login mechanism, and if you then attempted to log in using the banned ID, the login would be rejected.
Education won't help those who are proudly and willfully ignorant. They'll literally rather die before changing.
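The ID-keyed lockout cache with countdown timers described in the post above, as an added illustrative model (this is not Tomcat's own code). The failure threshold, the lockout duration and the 403 response for a locked ID are assumptions; the point it demonstrates is that locking on the user ID leaves other users behind the same NAT address unaffected.

```python
import time


class LockoutCache:
    """Per-user-ID lockout cache (constructed example, not Tomcat's implementation).

    Each failed login bumps the user's consecutive-failure counter. Once the
    counter reaches failure_count, the ID is locked for lockout_seconds; the
    lock silently expires when the countdown runs out. Nothing is keyed by
    source IP, so users sharing one NAT address are independent of one another.
    """

    def __init__(self, failure_count=5, lockout_seconds=300, clock=time.monotonic):
        self.failure_count = failure_count
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so the countdown can be tested
        self.failures = {}            # user_id -> consecutive failed attempts
        self.locked_until = {}        # user_id -> clock value at which the lock expires

    def is_locked(self, user_id):
        expiry = self.locked_until.get(user_id)
        if expiry is None:
            return False
        if self.clock() >= expiry:    # countdown elapsed: forget the lock and the count
            del self.locked_until[user_id]
            self.failures.pop(user_id, None)
            return False
        return True

    def attempt(self, user_id, password_ok):
        """Return an HTTP status: 200 on success, 401 on a bad password, 403 while locked."""
        if self.is_locked(user_id):
            return 403                # assumed: a correct password is still rejected while locked
        if password_ok:
            self.failures.pop(user_id, None)
            return 200
        count = self.failures.get(user_id, 0) + 1
        self.failures[user_id] = count
        if count >= self.failure_count:
            self.locked_until[user_id] = self.clock() + self.lockout_seconds
            return 403
        return 401


if __name__ == "__main__":
    cache = LockoutCache(failure_count=3, lockout_seconds=60)
    for _ in range(3):
        cache.attempt("alice", password_ok=False)
    print("alice locked:", cache.is_locked("alice"), "| bob login:", cache.attempt("bob", True))
```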